The Pragmatic Guide to Encryption for Healthcare Startups in the US

Photo by Alexander Sinn on Unsplash

It isn’t easy to navigate regulations around Protected Healthcare Information (PHI). This article shows how startups can tackle PHI regulations with three types of encryption and meet a high data security bar with ease and confidence.

This concise and pragmatic guide for Founders and Lead Engineers helps navigate the highly regulated space of encrypting PHI using tools that help minimize total-cost-of-ownership and time-to-market.

Regulations in the US

HIPAA defines the encryption of Protected Health Information as an addressable requirement. An addressable requirement doesn’t mean it’s a good problem to have. It means we have this problem now. It requires us to “implement a mechanism to encrypt PHI whenever deemed appropriate.”

The requirement uses vague language because technology changes while the language used by laws does not. Prescribing a specific type of encryption would be out-of-date very quickly. The spirit behind the vague wording is for us to protect PHI with the latest best practices of encryption.

Here they are:

(1) Encryption in Transit

Encryption in transit is an essential type of protection because we don’t trust intermediate network nodes.

To set up, all you need is an X.509 certificate signed by a trusted certificate installed on your server. But the total-cost-of-ownership keeps on giving: when those X.509 certificates expire, and your team must renew them. Failure to update so will result in a service outage since expired certificates prevent clients from connecting. Luckily, all the best solutions automatically update your certificates for you.

Best Solutions:

(2) Encryption at Rest

Encryption at rest is an essential type of encryption because we don’t trust the physical storage medium of your service provider.

Best solutions for encryption at rest are product-specific but generally referred to as Server-Side Encryption (SSE).

Best Solutions:

  • AWS EBS: Server-Side Encryption is again free and easy, but you have to enable it on EBS volume creation. If you did not, you have to create a new encrypted volume and manually migrate everything over to the encrypted volume.
  • Google: Everything is encrypted at rest automatically.
  • Hammerspace: Everything is encrypted at rest automatically.

(3) End-to-End Encryption

End-to-End Encryption is an essential type of encryption because it’s the last defense against any cloud security event.

Best Solutions:

  • Peacemakr: Open-Source, full-featured free tier, drop-in solution for End-to-End Encryption
  • AWS Key Management Service: You could encrypt and sign, but you would still need an in-house solution for key distribution, management, and rotation.


If, on the other hand, you are pressed for time, resources, and capital — focus your resources on your core business logic and find a security company to partner with to help with PHI encryption regulative requirements.

My only ask is: please do one or the other. Don’t skip adding encryption now, as most likely you’ll never get back to it, or when you do, the required re-architecture bill to add security retroactively will be too large to justify.

Besides, all the best startups take data security seriously.

15+ Years experience leading security, Ex-Apple, Ex-Pure Storage, Ex-Symphony Communications, Co-Founder and CEO of Peacemakr, Lives in San Francisco.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store